314 lines
13 KiB
Python
314 lines
13 KiB
Python
# Copyright (c) 2014 Hewlett-Packard Development Company, L.P.
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
from oslo_concurrency import lockutils
|
|
|
|
from tempest import clients
|
|
from tempest import config
|
|
from tempest.lib import auth
|
|
from tempest.lib.common import dynamic_creds
|
|
from tempest.lib.common import preprov_creds
|
|
from tempest.lib import exceptions
|
|
|
|
CONF = config.CONF
|
|
|
|
|
|
"""This module provides factories of credential and credential providers
|
|
|
|
Credentials providers and clients are (going to be) part of tempest.lib,
|
|
and so they may not hold any dependency to tempest configuration.
|
|
|
|
Methods in this module collect the relevant configuration details and pass
|
|
them to credentials providers and clients, so that test can have easy
|
|
access to these features.
|
|
|
|
Client managers with hard-coded configured credentials are also moved here,
|
|
to avoid circular dependencies."""
|
|
|
|
# === Credential Providers
|
|
|
|
|
|
# Subset of the parameters of credential providers that depend on configuration
|
|
def _get_common_provider_params(identity_version):
|
|
if identity_version == 'v3':
|
|
identity_uri = CONF.identity.uri_v3
|
|
elif identity_version == 'v2':
|
|
identity_uri = CONF.identity.uri
|
|
else:
|
|
raise exceptions.InvalidIdentityVersion(
|
|
identity_version=identity_version)
|
|
return {
|
|
'identity_version': identity_version,
|
|
'identity_uri': identity_uri,
|
|
'credentials_domain': CONF.auth.default_credentials_domain_name,
|
|
'admin_role': CONF.identity.admin_role
|
|
}
|
|
|
|
|
|
def get_dynamic_provider_params(identity_version, admin_creds=None):
|
|
"""Dynamic provider parameters setup from config
|
|
|
|
This helper returns a dict of parameter that can be used to initialise
|
|
a `DynamicCredentialProvider` according to tempest configuration.
|
|
Parameters that are not configuration specific (name, network_resources)
|
|
are not returned.
|
|
|
|
:param identity_version: 'v2' or 'v3'
|
|
:param admin_creds: An object of type `auth.Credentials`. If None, it
|
|
is built from the configuration file as well.
|
|
:return: A dict with the parameters
|
|
"""
|
|
_common_params = _get_common_provider_params(identity_version)
|
|
admin_creds = admin_creds or get_configured_admin_credentials(
|
|
fill_in=True, identity_version=identity_version)
|
|
if identity_version == 'v3':
|
|
endpoint_type = CONF.identity.v3_endpoint_type
|
|
elif identity_version == 'v2':
|
|
endpoint_type = CONF.identity.v2_admin_endpoint_type
|
|
return dict(_common_params, **dict([
|
|
('admin_creds', admin_creds),
|
|
('identity_admin_domain_scope', CONF.identity.admin_domain_scope),
|
|
('identity_admin_role', CONF.identity.admin_role),
|
|
('extra_roles', CONF.auth.tempest_roles),
|
|
('neutron_available', CONF.service_available.neutron),
|
|
('project_network_cidr', CONF.network.project_network_cidr),
|
|
('project_network_mask_bits', CONF.network.project_network_mask_bits),
|
|
('public_network_id', CONF.network.public_network_id),
|
|
('create_networks', (CONF.auth.create_isolated_networks and not
|
|
CONF.network.shared_physical_network)),
|
|
('resource_prefix', 'tempest'),
|
|
('identity_admin_endpoint_type', endpoint_type)
|
|
]))
|
|
|
|
|
|
def get_preprov_provider_params(identity_version):
|
|
"""Pre-provisioned provider parameters setup from config
|
|
|
|
This helper returns a dict of parameter that can be used to initialise
|
|
a `PreProvisionedCredentialProvider` according to tempest configuration.
|
|
Parameters that are not configuration specific (name) are not returned.
|
|
|
|
:param identity_version: 'v2' or 'v3'
|
|
:return: A dict with the parameters
|
|
"""
|
|
_common_params = _get_common_provider_params(identity_version)
|
|
reseller_admin_role = CONF.object_storage.reseller_admin_role
|
|
return dict(_common_params, **dict([
|
|
('accounts_lock_dir', lockutils.get_lock_path(CONF)),
|
|
('test_accounts_file', CONF.auth.test_accounts_file),
|
|
('object_storage_operator_role', CONF.object_storage.operator_role),
|
|
('object_storage_reseller_admin_role', reseller_admin_role)
|
|
]))
|
|
|
|
|
|
def get_credentials_provider(name, network_resources=None,
|
|
force_tenant_isolation=False,
|
|
identity_version=None):
|
|
"""Return the right implementation of CredentialProvider based on config
|
|
|
|
This helper returns the right implementation of CredentialProvider based on
|
|
config and on the value of force_tenant_isolation.
|
|
|
|
:param name: When provided, it makes it possible to associate credential
|
|
artifacts back to the owner (test class).
|
|
:param network_resources: Dictionary of network resources to be allocated
|
|
for each test account. Only valid for the dynamic
|
|
credentials provider.
|
|
:param force_tenant_isolation: Always return a `DynamicCredentialProvider`,
|
|
regardless of the configuration.
|
|
:param identity_version: Use the specified identity API version, regardless
|
|
of the configuration. Valid values are 'v2', 'v3'.
|
|
"""
|
|
# If a test requires a new account to work, it can have it via forcing
|
|
# dynamic credentials. A new account will be produced only for that test.
|
|
# In case admin credentials are not available for the account creation,
|
|
# the test should be skipped else it would fail.
|
|
identity_version = identity_version or CONF.identity.auth_version
|
|
if CONF.auth.use_dynamic_credentials or force_tenant_isolation:
|
|
return dynamic_creds.DynamicCredentialProvider(
|
|
name=name,
|
|
network_resources=network_resources,
|
|
**get_dynamic_provider_params(identity_version))
|
|
else:
|
|
if CONF.auth.test_accounts_file:
|
|
# Most params are not relevant for pre-created accounts
|
|
return preprov_creds.PreProvisionedCredentialProvider(
|
|
name=name,
|
|
**get_preprov_provider_params(identity_version))
|
|
else:
|
|
raise exceptions.InvalidConfiguration(
|
|
'A valid credential provider is needed')
|
|
|
|
|
|
def is_admin_available(identity_version):
|
|
"""Helper to check for admin credentials
|
|
|
|
Helper function to check if a set of admin credentials is available so we
|
|
can do a single call from skip_checks.
|
|
This helper depends on identity_version as there may be admin credentials
|
|
available for v2 but not for v3.
|
|
|
|
:param identity_version: 'v2' or 'v3'
|
|
"""
|
|
is_admin = True
|
|
# If dynamic credentials is enabled admin will be available
|
|
if CONF.auth.use_dynamic_credentials:
|
|
return is_admin
|
|
# Check whether test accounts file has the admin specified or not
|
|
elif CONF.auth.test_accounts_file:
|
|
check_accounts = preprov_creds.PreProvisionedCredentialProvider(
|
|
name='check_admin',
|
|
**get_preprov_provider_params(identity_version))
|
|
if not check_accounts.admin_available():
|
|
is_admin = False
|
|
else:
|
|
try:
|
|
get_configured_admin_credentials(fill_in=False,
|
|
identity_version=identity_version)
|
|
except exceptions.InvalidConfiguration:
|
|
is_admin = False
|
|
return is_admin
|
|
|
|
|
|
def is_alt_available(identity_version):
|
|
"""Helper to check for alt credentials
|
|
|
|
Helper function to check if a second set of credentials is available (aka
|
|
alt credentials) so we can do a single call from skip_checks.
|
|
This helper depends on identity_version as there may be alt credentials
|
|
available for v2 but not for v3.
|
|
|
|
:param identity_version: 'v2' or 'v3'
|
|
"""
|
|
# If dynamic credentials is enabled alt will be available
|
|
if CONF.auth.use_dynamic_credentials:
|
|
return True
|
|
# Check whether test accounts file has the admin specified or not
|
|
if CONF.auth.test_accounts_file:
|
|
check_accounts = preprov_creds.PreProvisionedCredentialProvider(
|
|
name='check_alt',
|
|
**get_preprov_provider_params(identity_version))
|
|
else:
|
|
raise exceptions.InvalidConfiguration(
|
|
'A valid credential provider is needed')
|
|
|
|
try:
|
|
if not check_accounts.is_multi_user():
|
|
return False
|
|
else:
|
|
return True
|
|
except exceptions.InvalidConfiguration:
|
|
return False
|
|
|
|
|
|
# === Credentials
|
|
|
|
# Type of credentials available from configuration
|
|
CREDENTIAL_TYPES = {
|
|
'identity_admin': ('auth', 'admin'),
|
|
'user': ('identity', None),
|
|
'alt_user': ('identity', 'alt')
|
|
}
|
|
|
|
|
|
def get_configured_admin_credentials(fill_in=True, identity_version=None):
|
|
"""Get admin credentials from the config file
|
|
|
|
Read credentials from configuration, builds a Credentials object based on
|
|
the specified or configured version
|
|
|
|
:param fill_in: If True, a request to the Token API is submitted, and the
|
|
credential object is filled in with all names and IDs from
|
|
the token API response.
|
|
:param identity_version: The identity version to talk to and the type of
|
|
credentials object to be created. 'v2' or 'v3'.
|
|
:returns: An object of a sub-type of `auth.Credentials`
|
|
"""
|
|
identity_version = identity_version or CONF.identity.auth_version
|
|
|
|
if identity_version not in ('v2', 'v3'):
|
|
raise exceptions.InvalidConfiguration(
|
|
'Unsupported auth version: %s' % identity_version)
|
|
|
|
conf_attributes = ['username', 'password',
|
|
'project_name']
|
|
|
|
if identity_version == 'v3':
|
|
conf_attributes.append('domain_name')
|
|
conf_attributes.append('user_domain_name')
|
|
conf_attributes.append('project_domain_name')
|
|
conf_attributes.append('system')
|
|
# Read the parts of credentials from config
|
|
params = config.service_client_config()
|
|
for attr in conf_attributes:
|
|
params[attr] = getattr(CONF.auth, 'admin_' + attr)
|
|
# Build and validate credentials. We are reading configured credentials,
|
|
# so validate them even if fill_in is False
|
|
credentials = get_credentials(fill_in=fill_in,
|
|
identity_version=identity_version, **params)
|
|
if not fill_in:
|
|
if not credentials.is_valid():
|
|
msg = ("The admin credentials are incorrectly set in the config "
|
|
"file for identity version %s. Double check that all "
|
|
"required values are assigned.")
|
|
raise exceptions.InvalidConfiguration(msg % identity_version)
|
|
return credentials
|
|
|
|
|
|
def get_credentials(fill_in=True, identity_version=None, **kwargs):
|
|
"""Get credentials from dict based on config
|
|
|
|
Wrapper around auth.get_credentials to use the configured identity version
|
|
if none is specified.
|
|
|
|
:param fill_in: If True, a request to the Token API is submitted, and the
|
|
credential object is filled in with all names and IDs from
|
|
the token API response.
|
|
:param identity_version: The identity version to talk to and the type of
|
|
credentials object to be created. 'v2' or 'v3'.
|
|
:param kwargs: Attributes to be used to build the Credentials object.
|
|
:returns: An object of a sub-type of `auth.Credentials`
|
|
"""
|
|
params = dict(config.service_client_config(), **kwargs)
|
|
identity_version = identity_version or CONF.identity.auth_version
|
|
# In case of "v3" add the domain from config if not specified
|
|
# To honour the "default_credentials_domain_name", if not domain
|
|
# field is specified at all, add it the credential dict.
|
|
if identity_version == 'v3':
|
|
domain_fields = set(x for x in auth.KeystoneV3Credentials.ATTRIBUTES
|
|
if 'domain' in x)
|
|
if (not params.get('system') and
|
|
not domain_fields.intersection(kwargs.keys())):
|
|
domain_name = CONF.auth.default_credentials_domain_name
|
|
# NOTE(andreaf) Setting domain_name implicitly sets user and
|
|
# project domain names, if they are None
|
|
params['domain_name'] = domain_name
|
|
|
|
auth_url = CONF.identity.uri_v3
|
|
else:
|
|
auth_url = CONF.identity.uri
|
|
return auth.get_credentials(auth_url,
|
|
fill_in=fill_in,
|
|
identity_version=identity_version,
|
|
**params)
|
|
|
|
# === Credential / client managers
|
|
|
|
|
|
class AdminManager(clients.Manager):
|
|
"""Manager that uses admin credentials for its managed client objects"""
|
|
|
|
def __init__(self):
|
|
super(AdminManager, self).__init__(
|
|
credentials=get_configured_admin_credentials())
|